The lack of perfect randomness can cause significant problems in securing communication between
two parties. McInnes and Pinkas [13] proved that unconditionally secure encryption is impossible
when the key is sampled from a weak random source. The adversary can always gain some information
about the plaintext, regardless of the cryptosystem design. Most notably, the adversary can
obtain full information about the plaintext if he has access to just two bits of information about the
source (irrespective of the length of the key). In this paper we show that for every weak random source
there is a cryptosystem with a classical plaintext, a classical key, and a quantum ciphertext that bounds
the adversary's probability $p$ to guess correctly the plaintext strictly under the McInnes-Pinkas bound,
except for a single case, where it coincides with the bound. In addition, regardless of the source of
randomness, the adversary's probability $p$ is strictly smaller than 1 as long as there is some uncertainty
in the key (Shannon/min-entropy is non-zero). These results are another demonstration that quantum
information processing can solve cryptographic tasks with strictly higher security than classical
information processing.

1 Introduction 

Random numbers play a crucial role in many areas of computer science, e.g. randomized algorithms 
and cryptography. Real world random number generators deliver imperfect (biased) randomness and 
a number of theoretical models of imperfect random number sources 12 [7] Q3] QjO were introduced 
to study possibilities to obtain perfect randomness through their software postprocessing [16].
Importance of this post-processing stems from the fact that many of its applications were designed to
use perfect randomness, and, in fact, vitally require it for a reasonable performance. Devices based 
on quantum mechanical properties should theoretically serve as sources of ideal randomness 13,8] 
or even as unconditionally secure cryptosystems |Q3 [9] [T2j |T7] QjO ■ However, in real conditions they 
are extremely sensitive to the influence of environment and rely on classical post-processing of the 
measurement results. Even after these procedures the outcome is far from being perfect (see e.g. IfTTTl 
and references therein). 

Cryptography counts among the fields that are highly sensitive to the quality of randomness used (see
e.g. [4]). One of the most prominent results showing the influence of weakness of randomness is by
McInnes and Pinkas [13], proving that there is no perfectly secure encryption scheme when the key
is sampled from a weakly random source (e.g. min-entropy [7]). The authors also derived a tight
(minimal and achievable) bound on the probability that the adversary can determine the plaintext, when
an arbitrary encryption system is used, but the key is sampled from a min-entropy source. This bound
is a function of $c = l - b$, where $l$ is the key length and $b$ is its min-entropy (see Section 2 for the
definition of min-entropy).

In this paper we propose an encryption of classical information using a classical key and a quantum
channel (i.e. the ciphertext is a quantum state) such that the adversary's probability to determine the
plaintext is strictly smaller than the McInnes-Pinkas bound for all values $c = l - b \ge 0$, except for
values $c = 0$ and $c = 1$, where it coincides with the bound.

The paper is organized as follows. In the second section we introduce basic definitions and recall 
the result by McInnes and Pinkas in detail. In the third section we introduce the encryption onto a
quantum ciphertext. In the fourth section we derive the maximal security for the approximation of a 
continuous key. In the fifth section we deal with the consequences of the discretisation of the random 
key, whereas in the last section we summarize our results and conclude. 

2 Preliminaries 

The min-entropy of the probability distribution (random variable, source) $Z$ is defined by

$$H_\infty(Z) = \min_{z \in Z} \left(-\log \Pr(Z = z)\right). \tag{1}$$

We denote a source as an $(l, b)$-source if it is emitting $l$-bit strings drawn according to a probability
distribution with min-entropy at least $b$. Thus, every specific $l$-bit sequence is drawn with probability
smaller or equal to $2^{-b}$. Notice that for $b = l - c$, the probability of each $l$-bit string is upper bounded
by $2^{c} 2^{-l}$, and the parameter $c$ is called min-entropy loss.

A source is $(l, b)$-flat iff it is an $(l, b)$ source and it is uniform on some subset of $2^{b}$ sample points,
i.e., all probabilities are either $0$ or $2^{-b}$.

We are going to consider the following scenario. Alice and Bob share a secret key $k$ that is used
to determine the encoding (decoding) function. In this setting the plaintext is a single, uniformly
distributed bit and the ciphertext is an (arbitrarily long, but finite) bitstring. The encryption system is
specified by the set of encoding rules

$$e_k : X \to Y \tag{2}$$

parameterized by the keys $k \in K$, with $X = \{0, 1\}$ being the set of plaintexts and $Y$ being the set of
ciphertexts. To each encoding function there is the corresponding decoding function $d_k$ that perfectly
recovers the original input, i.e.

$$\forall k \in K \quad d_k \circ e_k = \mathrm{id}_X. \tag{3}$$

Let $X$ be the random variable describing the probability distribution of the plaintext and $X'$ the random
variable describing the adversary's estimate given by his decoding strategy. Security is parameterized by
the adversary's ability to recover the original plaintext

$$p = \sum_{x \in X} \Pr(X' = x \mid X = x) \Pr(X = x). \tag{4}$$

In the McInnes and Pinkas paper, for a given length of the key $l$ and a parameter $c$ the key is
distributed according to an $(l, l - c)$ distribution. Parameters $l$ and $c$ are part of the cryptosystem
design; the adversary is assumed to know the actual (biased) distribution $K$ of the key (but not the
value $k$ of the key). The probability $p$ to reveal the plaintext the adversary can achieve for an arbitrary
cryptosystem, a suitable $(l, l - c)$ source and a uniformly distributed plaintext is lower bounded by

$$p \ge \begin{cases} 1 & \text{for } 2 \le c \le l \\ \frac{1}{2} + \frac{2^{c}}{8} & \text{for } 2 - \log_2 3 \le c \le 2 \\ \frac{2^{c}}{2} & \text{for } 0 \le c \le 2 - \log_2 3. \end{cases} \tag{5}$$


J. Bouda, M. Pivoluska, M. Plesch



In particular, they have shown that the (maximal achievable) security¹ is independent of $l$ and no
security can be achieved if $c \ge 2$.

3 Quantum ciphertext 

In our solution we consider encoding classical plaintext to a quantum ciphertext. The encoding
function is of the form

$$e_k : X \to S(\mathcal{H}) \tag{6}$$

parameterized by the key $k \in K$, with $X = \{0, 1\}$ being the set of plaintexts, $\mathcal{H}$ a suitable Hilbert
space and $S(\mathcal{H})$ the set of (possibly mixed) states on the Hilbert space $\mathcal{H}$, i.e. positive trace one
operators acting on $\mathcal{H}$. In our further analysis we limit ourselves to only a single quantum bit, i.e.
to the two-dimensional Hilbert space $\mathcal{H} = \mathcal{H}_2$. Extensions to higher dimensional Hilbert spaces will be
discussed in the conclusion.

The decoding procedure consists of a measurement of the received quantum system aiming to
distinguish between the states $e_k(0)$ and $e_k(1)$. The correctness requirement gives (regardless of $\mathcal{H}$) that for
every $k$ the states $e_k(0)$ and $e_k(1)$ must be orthogonal. For a qubit, this is only possible if all of them
are pure states. Let us use the notation $e_k(0) = |\psi_k\rangle$ and $e_k(1) = |\phi_k\rangle$, with the orthogonality condition

$$\langle \psi_k | \phi_k \rangle = 0 \tag{7}$$

for all $k$'s.

To obtain the encoded bit, Bob (knowing the key) adjusts his measurement device accordingly
to obtain a well defined result discriminating between $|\psi_k\rangle$ and $|\phi_k\rangle$. For this purpose a standard von
Neumann measurement is fully sufficient. On the other hand, the adversary's knowledge is limited to
the (known) probability distribution on keys. He has to discriminate between the average states

$$\rho_0 = \sum_{k \in K} P(K = k)\, |\psi_k\rangle\langle\psi_k| \quad \text{and} \quad \rho_1 = \sum_{k \in K} P(K = k)\, |\phi_k\rangle\langle\phi_k|. \tag{8}$$

Analogously to the classical case, the effectiveness of the adversary's strategy is given by the
probability $p$ given by Eq. (4). The adversary's strategy is thus to maximize this probability by performing
a minimum error measurement, which is a simple two outcome von Neumann measurement [5, 6] [14].
Without loss of generality we can choose a basis so that the state $\rho_0$ (8) has the form

with $a \ge \frac{1}{2}$. Due to the orthogonality condition (7) the state $\rho_1$ has the form

The optimal measurement of the attacker is thus just the spin $z$ projection measurement and the
probability to get a correct outcome (determine the original plaintext) then reads



$$p = \frac{1}{2}\left(\frac{1}{2}\operatorname{Tr}|\rho_0 - \rho_1| + 1\right). \tag{11}$$

¹ The probability of making a correct guess by the adversary is bounded from below by formula (5) independently of $l$. However,
such security is achievable only for a cryptosystem with high enough $l$; for smaller $l$ the achievable probability for the attacker
rises further.
4 Continuous code

In this section we assume that Alice and Bob share a random key that is continuous, e.g. a single
complex number. Such a coding can uniformly cover the state space of a single qubit $\mathcal{H}$, which can
be depicted as a Bloch sphere. Later, in Section 5, we will show that there exists a discrete coding
that approximates the continuous coding introduced in this section with an arbitrary precision (with
respect to the adversary's probability to reveal the plaintext).

Suppose that Alice and Bob know (or expect) that the random key they share can be biased by a 
certain amount. Their aim is to choose the coding in such a way that any partial knowledge about the 
key by an eavesdropper would lead to as small probability of obtaining the correct encrypted bit as 
possible. This is naturally achieved by a smooth coverage of the state space (Bloch sphere) in such a 
way that the probability density of selected states will be equal on all points of the sphere. 

The first important observation is that we can fix an arbitrary adversary's measurement $P = |0\rangle\langle 0|$
by fixing the basis and determine the key distribution that is optimally distinguished by the
measurement. This can be done as all measurements are unitarily equivalent, i.e. for each pair of
measurements there is a unitary rotation of the sphere that maps one measurement to the other. Hence, if there
is an optimal distribution for one measurement, for any other measurement there exists a (different)
distribution giving the same result.

Let us define a source with min-entropy loss at most $c$ for continuous spaces. According to (1), a
discrete source with length $l$ and min-entropy $H_\infty(Z)$ has min-entropy loss $c = l - H_\infty(Z)$:

$$\begin{aligned} c &= l - H_\infty(Z) \\ &= l - \min_{z \in Z}\left(-\log \Pr(Z = z)\right) \\ &= \max_{z \in Z}\left(l + \log \Pr(Z = z)\right) \\ &= \max_{z \in Z}\left(\log\left(|Z| \Pr(Z = z)\right)\right). \end{aligned} \tag{12}$$

Equation (12) can be easily extended to a continuous space by replacing the maximization by a supremum. $|Z|$
has to be changed to the volume of the probability space $\mathcal{H}$ and the probability function $\Pr$ becomes
a probability density function $\mu$.

Now let us define a continuous weak source over the space $\mathcal{H}$ with min-entropy loss $c$ as a set of
probability density functions for which

$$c = \sup_{\psi \in \mathcal{H}} \log\left(|\mathcal{H}|\, \mu(\psi)\right). \tag{13}$$

After additional simplification it is easy to see that the condition reads $\sup_{\psi} \mu(\psi) = \frac{2^{c}}{|\mathcal{H}|}$.

Let us consider all distributions on the sphere such that for any state on the sphere its probability
density is at most $2^{c} |\mathcal{H}|^{-1}$, with $|\mathcal{H}|$ being the area of the surface of the Bloch sphere. Later, in Section
5, we show that such distributions are analogous to discrete min-entropy sources. Flat distributions
correspond to continuous distributions where only a $2^{-c}$ fraction of all possible keys would appear
with equal nonzero probability density.

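Let us now examine a situation where the adversary prepares for Alice and Bob a flat distribution
on a subset of size $2^{-c} |\mathcal{H}|$ (i.e. the keys are selected with equal probabilities from a $2^{-c}$ fraction of all
possible keys). We propose a distribution $\mu_{\mathrm{opt}}(|\phi\rangle)$ defined as

$$\mu_{\mathrm{opt}}(|\phi\rangle) = \begin{cases} \frac{2^{c}}{|\mathcal{H}|} & \text{for } |\phi\rangle \in Y \\ 0 & \text{elsewhere} \end{cases}$$

for $Y = \{|\phi\rangle \in \mathcal{H};\ |\langle 0|\phi\rangle|^2 \ge g;\ |Y| = 2^{-c} |\mathcal{H}|\}$ for some suitable constant $g$ dependent on $c$. Let us
assume that Alice encodes (uniformly at random) into one of the states from $Y$. The probability to
obtain the correct outcome of the measurement $P$ is

$$p_{\mathrm{opt}} = \int_{\mathcal{H}} \mu_{\mathrm{opt}}(|\phi\rangle)\, |\langle 0|\phi\rangle|^2\, d\phi = \frac{2^{c}}{|\mathcal{H}|} \int_{|\phi\rangle \in Y} |\langle 0|\phi\rangle|^2\, d\phi. \tag{14}$$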
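Let $\mu(|\phi\rangle)$ be any distribution with $\mu(|\phi\rangle) \le 2^{c} |\mathcal{H}|^{-1}$ everywhere, i.e. we restrict ourselves to
distributions corresponding to discrete min-entropy $(l, l - c)$ distributions. We will now prove that
the distribution $\mu_{\mathrm{opt}}$ is optimal among these distributions, i.e. there is no other distribution such that
the adversary can obtain a higher probability to detect the correct ciphertext. Let us calculate this
probability for a general distribution $\mu(|\phi\rangle)$

$$\begin{aligned} p &= \int_{\mathcal{H}} \mu(|\phi\rangle)\, |\langle 0|\phi\rangle|^2\, d\phi \\ &= \int_{|\phi\rangle \in Y} \mu(|\phi\rangle)\, |\langle 0|\phi\rangle|^2\, d\phi + \int_{|\phi\rangle \in \overline{Y}} \mu(|\phi\rangle)\, |\langle 0|\phi\rangle|^2\, d\phi \\ &= \int_{|\phi\rangle \in Y} \mu_{\mathrm{opt}}(|\phi\rangle)\, |\langle 0|\phi\rangle|^2\, d\phi + \int_{|\phi\rangle \in Y} \left[\mu(|\phi\rangle) - \mu_{\mathrm{opt}}(|\phi\rangle)\right] |\langle 0|\phi\rangle|^2\, d\phi + \int_{|\phi\rangle \in \overline{Y}} \mu(|\phi\rangle)\, |\langle 0|\phi\rangle|^2\, d\phi \\ &= p_{\mathrm{opt}} + \int_{|\phi\rangle \in Y} \left[\mu(|\phi\rangle) - \mu_{\mathrm{opt}}(|\phi\rangle)\right] |\langle 0|\phi\rangle|^2\, d\phi + \int_{|\phi\rangle \in \overline{Y}} \mu(|\phi\rangle)\, |\langle 0|\phi\rangle|^2\, d\phi, \end{aligned} \tag{15}$$

where $\overline{Y} = \mathcal{H} - Y$.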

Let us now analyze the two remaining terms in Eq. (15). As $\mu(|\phi\rangle) \le \mu_{\mathrm{opt}}(|\phi\rangle)$ for all $|\phi\rangle \in Y$
(recall that $\mu_{\mathrm{opt}}(|\phi\rangle)$ reaches the maximal permitted value on the subset $Y$), the integrated function
is non-positive on the whole area of integration ($Y$), $|\langle 0|\phi\rangle|^2 \ge g$ on the whole area as well and thus
the first integral can be bounded from above by $g \int_{|\phi\rangle \in Y} \left[\mu(|\phi\rangle) - \mu_{\mathrm{opt}}(|\phi\rangle)\right] d\phi$. In the last term the
integrated function is positive, but $|\langle 0|\phi\rangle|^2 < g$ on the whole area and thus the second integral can be
also bounded from above by $g \int_{|\phi\rangle \in \overline{Y}} \mu(|\phi\rangle)\, d\phi$. Altogether we get

$$p \le p_{\mathrm{opt}} + g \int_{|\phi\rangle \in Y} \left[\mu(|\phi\rangle) - \mu_{\mathrm{opt}}(|\phi\rangle)\right] d\phi + g \int_{|\phi\rangle \in \overline{Y}} \mu(|\phi\rangle)\, d\phi.$$

As $\mu_{\mathrm{opt}}(|\phi\rangle)$ is 0 outside $Y$, we can include it into the integration outside $Y$ with a minus sign. Now
we join the integration through the whole space and using the normalization condition on both
distributions we get

$$p \le p_{\mathrm{opt}} + g \int \left[\mu(|\phi\rangle) - \mu_{\mathrm{opt}}(|\phi\rangle)\right] d\phi = p_{\mathrm{opt}}.$$

This completes the proof of the optimality of the flat $\mu_{\mathrm{opt}}(|\phi\rangle)$ distribution.

Recall that the state space of a single qubit represented as a Bloch sphere is proportional to a
unit sphere with the surface equal to $|\mathcal{H}| = 4\pi$. The set $Y$ derived above is a spherical cap on the
Bloch sphere with the center in $|0\rangle$. The desired flat distribution is hence equivalent to the uniform
distribution on a spherical cap with a surface $4\pi 2^{-c}$. The height of such a spherical cap is $h = 2^{-c+1}$
(reaching from 2 for $c = 0$ to 0 for large $c$). The average state observed by the attacker in the case of
the plaintext 0 is the center of the mass of the surface of the spherical cap, which is on the axis of the
cap at the height $h/2$. The average state then reads

$$\rho_0 = \frac{1}{2}\mathbb{1} + \frac{1 - h/2}{2}\sigma_z = p\,|0\rangle\langle 0| + (1 - p)\,|1\rangle\langle 1| \tag{16}$$

with

$$p = 1 - h/4 = 1 - 2^{-c-1}. \tag{17}$$

The appearance of $h/4$ instead of $h/2$ is due to the renormalization of the axis: while the Bloch sphere
has diameter 2, the parameter $p$ changes from 0 to 1 across the sphere.

Accordingly, the state observed by the attacker in the case of sending 1 is $\rho_1 = (1 - p)\,|0\rangle\langle 0| +$



Observing that $p \ge 1/2$ and substituting into Eq. (11), the optimal adversary's probability for
this state is also $p$.
The comparison of the classical bounds and the quantum approach is given in Fig. 1. It is clear
that the probability of the adversary to correctly guess the ciphertext is for all parameters $c$ (except
0 and 1) strictly better than classical. Even more interesting, the probability is non-vanishing even for
large $c$, which means that (some) privacy is established even in the case when the adversary has almost
perfect control of the "random" key.

5 Discrete code 

In this section we will show that for any $c > 0$ and an arbitrarily small $\varepsilon > 0$ there exists an encryption
system

$$e_k : \{0, 1\} \to S(\mathcal{H}) \tag{18}$$

indexed by keys from a finite set $K$ that bounds the adversary's probability to determine the original
plaintext by $1 - 2^{-c-1} + \varepsilon$.

All the derivations made in the previous section were done for a continuous distribution of the states
over the state space. If we consider a discrete finite number $n$ of possible keys $|\psi_i\rangle$, we can only
approximate such distributions using a finite number of lattice points [10] uniformly distributed over
the surface of the Bloch sphere.

Let us assign to each single state $|\psi_i\rangle$ its neighborhood, i.e. a subset $\mathcal{H}_i$ of the whole Hilbert space
such that

(i) The surface on the Bloch sphere of each $\mathcal{H}_i$ equals $\frac{4\pi}{n}$.

(ii) Neighborhoods corresponding to different states are disjoint, i.e. $\forall i, j \quad |\psi_i\rangle \ne |\psi_j\rangle \Rightarrow \mathcal{H}_i \cap \mathcal{H}_j = \emptyset$.

(iii) The distance between a state and any state in its neighborhood measured in the relative
angle on the Bloch sphere is upper bounded by $O(n^{-1/2})$.

For every $n$, there exists a set of states and their neighborhoods that fulfill the aforementioned
conditions. This can be seen from the fact that even a suitable (by far non-optimal) distribution of
points on $\sqrt{n}$ meridians with $\sqrt{n}$ points each yields a maximal angle of ^= (for explanation see Fig.
2), which fulfills the third condition, whereas the first two can be fulfilled trivially.

We will show that for any probability distribution on the $n$ aforementioned states with min-entropy
at least $\log_2(n) - c$, the adversary's probability to determine the plaintext is at most $p_{\mathrm{opt}} + \varepsilon$, where
$\varepsilon$ drops as $n^{-1/2}$. Let us fix a particular distribution $(q_i)_{i=1}^{n}$ on states $|\psi_i\rangle$. We construct a continuous
distribution $\mu_q(|\phi\rangle) = \frac{q_i n}{4\pi}$ for $|\phi\rangle \in \mathcal{H}_i$. The adversary's probability to obtain the plaintext in the case of
distribution $(q_i)_{i=1}^{n}$ on states $|\psi_i\rangle$ reads (compare to Eq. (14))

$$p_q = \sum_{i=1}^{n} q_i\, |\langle 0|\psi_i\rangle|^2. \tag{19}$$
Fig. 2. As there are $\sqrt{n}$ meridians used, there are $\sqrt{n}$ points on the equator. Naturally the most distant points are
in the vicinity of the equator, as there are the meridians most distant from each other. On the picture, four points 
are depicted, two of them on meridian and two just one position above. The most distant point to any of these 
points is in the center of the formation formed by these four points. The distance c is bounded from above by 
the triangle inequality by its distance to the equator % = ^= and half of the distance between two points on the 

equator being | = A=, thus together . 



As the difference of the fidelity of the state with $|0\rangle$ and any state from its neighborhood with $|0\rangle$
is upper bounded by $O(n^{-1/2})$, we can approximate Eq. (19) by a correctly normalized integral over
its neighborhood

$$|\langle 0|\psi_i\rangle|^2 = \frac{n}{4\pi} \int_{\mathcal{H}_i} \left[|\langle 0|\phi\rangle|^2 + O(n^{-1/2})\right] d\phi. \tag{20}$$



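Substituting we get

$$\begin{aligned} p_q &= \sum_{i=1}^{n} q_i \frac{n}{4\pi} \int_{\mathcal{H}_i} \left[|\langle 0|\phi\rangle|^2 + O(n^{-1/2})\right] d\phi \\ &= \sum_{i=1}^{n} \frac{q_i n}{4\pi} \int_{\mathcal{H}_i} |\langle 0|\phi\rangle|^2\, d\phi + \sum_{i=1}^{n} \frac{q_i n}{4\pi}\, O(n^{-1/2}) \int_{\mathcal{H}_i} d\phi \\ &= \int_{\mathcal{H}} \mu_q(|\phi\rangle)\, |\langle 0|\phi\rangle|^2\, d\phi + \sum_{i=1}^{n} q_i\, O(n^{-1/2}) \\ &\le p_{\mathrm{opt}} + \sum_{i=1}^{n} q_i\, O(n^{-1/2}) \qquad (21) \\ &= p_{\mathrm{opt}} + O(n^{-1/2}) \\ &\le \left[1 + O(n^{-1/2})\right] p_{\mathrm{opt}}. \qquad (22) \end{aligned}$$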

Inequality (21) holds because $\mu_q$ satisfies all min-entropy requirements set in the previous section,
and thus the integral can be bounded from above by $p_{\mathrm{opt}}$. The last inequality holds because $p_{\mathrm{opt}}$ is a
positive constant, not depending on $n$.

We can conclude that for any $c > 0$ and an arbitrarily small $\varepsilon > 0$ there exists a (sufficiently large)
$n$ that bounds the adversary's probability to determine the original plaintext by $1 - 2^{-c-1} + \varepsilon$. It is
obvious that for any fixed $c$ a suitable $\varepsilon$ can be chosen such that the probability of the adversary to
guess the ciphertext correctly is strictly smaller than one.

Moreover, consider a cryptosystem with only two elements $k_1, k_2 \in K$ such that $\Pr(K = k_1) > 0$,
$\Pr(K = k_2) > 0$. Then the average states $\rho_0$, $\rho_1$ are not pure, i.e. (in a suitable basis)

$$\rho_0 = \begin{pmatrix} a & 0 \\ 0 & 1 - a \end{pmatrix}$$

with $a, 1 - a > 0$. This implies the quantity in Eq. (11) is strictly smaller than 1. Thus, for any
encoding the adversary's probability to determine the original plaintext is strictly smaller than 1, as
long as there are at least two keys with nonzero probability.
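
Added example, not part of the original paper: a numerical check of the comparison made at the end of Section 4 and of the discrete approximation of Section 5. It evaluates bound (5) against $1 - 2^{-c-1}$ and computes, using Eq. (11) in Bloch-vector form, the adversary's success probability for a flat source concentrated on the keys nearest $|0\rangle$; the Fibonacci lattice (used here in place of the meridian construction) and all function names are assumptions of this example.

```python
# Added illustration; not code from the paper. The Fibonacci lattice and all
# function names are assumptions made for this example.
import math

GOLDEN_ANGLE = math.pi * (3.0 - math.sqrt(5.0))


def classical_bound(c):
    """McInnes-Pinkas lower bound (5) on the adversary's success probability."""
    if c >= 2:
        return 1.0
    if c >= 2 - math.log2(3):
        return 0.5 + 2 ** c / 8
    return 2 ** c / 2


def quantum_bound(c):
    """Adversary's optimal success probability for the qubit code, Eq. (17)."""
    return 1 - 2 ** (-c - 1)


def helstrom(r0, r1):
    """Eq. (11) for qubits given Bloch vectors: Tr|rho0 - rho1| = |r0 - r1|."""
    return 0.5 * (0.5 * math.dist(r0, r1) + 1)


def lattice(n):
    """n near-uniform Bloch vectors; point 0 is closest to |0> (z = +1)."""
    pts = []
    for i in range(n):
        z = 1 - (2 * i + 1) / n
        r = math.sqrt(1 - z * z)
        pts.append((r * math.cos(i * GOLDEN_ANGLE), r * math.sin(i * GOLDEN_ANGLE), z))
    return pts


def cap_source_guess_probability(c, n):
    """Success probability against a flat (log2 n - c) source on n keys.

    The source is uniform on the m = ceil(n / 2^c) keys nearest |0>, so every
    key has probability 1/m <= 2^c / n. Key k encodes bit 0 as the state with
    Bloch vector r_k and bit 1 as the orthogonal state with Bloch vector -r_k.
    """
    m = math.ceil(n / 2 ** c)
    cap = lattice(n)[:m]
    r0 = tuple(sum(p[axis] for p in cap) / m for axis in range(3))
    r1 = tuple(-x for x in r0)
    return helstrom(r0, r1)


if __name__ == "__main__":
    print("c  classical  quantum  discrete (n = 20000)")
    for c in (0, 0.25, 1, 1.5, 2, 4):
        print(c, classical_bound(c), quantum_bound(c),
              cap_source_guess_probability(c, 20000))
```

For $c \ge 2$ the classical column is 1 while the discrete qubit code stays close to $1 - 2^{-c-1}$, and the two bounds touch only at $c = 0$ and $c = 1$.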

6 Conclusion 

In this paper we have shown that a quantum ciphertext can significantly increase the security of
classical communication between two parties using weak random sources. In particular, for significantly
weak sources, where less than a quarter of keys can be used for encryption, no security can be achieved
with a classical ciphertext. This is true independently of both the length of the key $l$ and the length of
the ciphertext. On the contrary, for quantum ciphertexts, some level of security can be achieved even
if only two keys appear with non-zero probability.

For all sources (for all values of $c$) the presented quantum approach is at least as good as the
classical one. Moreover, except for $c = 0$ (trivial case with perfect sources and perfect security) and
$c = 1$ the quantum approach outperforms the classical for all values of $c$.

It is important to stress that our result does not give a lower bound on the security one can achieve 
in this problem in general. Using encoding into systems of higher dimension (e.g. a pair of qubits 
or a qutrit) may achieve significantly better results, as more complicated encodings also using mixed 
states come into question. 